问题
I'm new to laravel and use this as a input query:
DB::table('user_input')->insert(array(
array('fname' => Input::get('Name'),'lname' => 'no','email' => Input::get('E-Mail'),'date_from' => $from_date,'date_to' => $to_date,'phone' => Input::get('Phone'),'message' => Input::get('Message'),'ip_address' => Request::getClientIp(), 'newsletter' => Input::get('Sign-up'))
));
which I would never do like that in standard php, as the query doesn't seem to be prepared and I put user input directly into above query.
Is there a automatic preparation in Eloquent ORM which I haven't recognized or how would I write a prepared statement with Eloquent?
回答1:
Eloquent does the PDO style prepared statements behind the scenes to protect against things like sql injection. Eloquent models also protect against mass assignment by default. An exception will be thrown unless you specifically note the columns of the database that should be guarded or the inverse (the ones that should be fillable).
http://laravel.com/docs/4.2/eloquent#mass-assignment
If you want to dig further in, you can look at the class
/vendor/laravel/framework/src/Illuminate/Database/Query/Builder.php`
to see how laravel constructs the queries in Eloquent.
来源:https://stackoverflow.com/questions/27131856/prepared-statement-with-eloquent-orm-laravel